[Security concerns] Unauthenticated access to camera Snapshots

vanzano — Tue, 19 Mar 2019 20:48:15 GMT

Hello Guys, I'll try to make this as simple as possible so everyone can understand why this should be a concern for those who care about security.

The problem: Anyone can access your camera snapshots if they have the URL, that means unauthenticated access to your data!

Scenario: You are browsing your Arlo cameras on a shopping/company/free/friends/whatever WIFI network. Lets suppose the network Admin/owner has SSL strip or any form of proxy/MITM device between you and the internet.

This case is very common in Corporate networks where your device trust an Intermediate Certificate authority. That is done to allow Firewalls/AV software to open your SSL tunnel and analyse your traffic.

So the exact moment when you open your ARLO mobile app it makes some calls:

First it calls the authentication API - https://arlo.netgear.com/hmsweb/login/v2
Second it calls de Device list API - https://arlo.netgear.com/hmsweb/users/devices

and after that it populates the thumbnails of your cameras with the last snapshot they took.

Once the APP calls the Device list API, it returns the URLS required to retrieve camera snapshots, but the problem is that anyone that possess the URL can access it from anywhere without being authenticated.

You can easly replicate this experiment doing the steps below:

Required Tools:

Postman
Basic knowledge of API/Calls

First step is authorizing yourself, like the mobile app do. To do so create a post call in Postman as demonstrated below:

URL: https://arlo.netgear.com/hmsweb/login/v2

Call type: POST

Headers: Content-Type:application/x-www-form-urlencoded

Body: {

"email":"YOUR_ARLO_USERNAME@YOUR_EMAIL.COM",

"password":"YOUR_ARLO_ACCOUNT_PASSWORD

}

You'll get the response below:

Now do a get call to the device list url using the TOKEN value that you got after authenticating in the last step:

URL: https://arlo.netgear.com/hmsweb/users/devices

Type: GET

Headers: Authorization:INSERT_THE_VALUE_OF_TOKEN_FIELD_HERE

and you'll get a JSON, look for the ones where it says in the deviceType: camera. These devices are your cameras, you'll probably recognize them by the name you gave. At this point just copy the content of field presignedFullFrameSnapshotUrl and navigate to it on any browser and you'll get your camera snapshot. If you send it to a friend or anyone it will also work.

So that all being said I would like to hear from Netgear/Arlo on this topic. To me it feels very unsafe to leave access to these URLS without authentication. What was the thought process behind it ?

Re: [Security concerns] Unauthenticated access to camera Snapshots

AncientGeek — Tue, 19 Mar 2019 19:14:05 GMT

You should submit this on BugCrowd.

Re: [Security concerns] Unauthenticated access to camera Snapshots

vanzano — Tue, 19 Mar 2019 19:25:52 GMT

It’s not a bug. It was designed like that. It is working as intended.

The problem is that it’s unsafe.

Re: [Security concerns] Unauthenticated access to camera Snapshots

AncientGeek — Tue, 19 Mar 2019 19:27:51 GMT

@vanzano wrote:
It’s not a bug. It was designed like that. It is working as intended.

The problem is that it’s unsafe.

Many security problems were "designed that way". This is a security problem. I'd report it and see if Arlo agrees with you that it is a problem and if so, you might get a small check for your troubles.

topic Re: [Security concerns] Unauthenticated access to camera Snapshots in Arlo Pro

[Security concerns] Unauthenticated access to camera Snapshots

Re: [Security concerns] Unauthenticated access to camera Snapshots

Re: [Security concerns] Unauthenticated access to camera Snapshots

Re: [Security concerns] Unauthenticated access to camera Snapshots